Microsoft fixes critical Office zero-day security flaw. Update ASAP!
Yesterday was Microsoft’s big “Patch Tuesday,” which unleashed various security updates against 56 new vulnerabilities. This rounds out the year with a whopping total of 1,139 vulnerabilities fixed throughout 2025. In addition to Windows and Office, these fixes also affect Azure, Copilot, Defender, Exchange, and PowerShell.
The next big update is scheduled for January 13th, 2026. Here’s a deeper look at all the security fixes across Microsoft’s products and services.
Microsoft Windows vulnerabilities
A large proportion of the vulnerabilities—38 this time—are spread across the various Windows versions (Windows 10, Windows 11, and Windows Server) for which Microsoft still offers security updates.
Windows 10 continues to be listed as an affected system, even though its support officially ended in October. This wasn’t the case with Windows 7, despite its ESU program (Extended Security Updates).
CVE-2025-62221 is a high-risk Elevation of Privilege (EoP) vulnerability in the cloud file mini-filter driver that’s already being exploited for attacks in the wild. A successful attacker can even execute their code with system-level rights by combining this use-after-free (UAF) vulnerability with a Remote Code Execution (RCE) vulnerability, of which there are plenty. All supported Windows versions are vulnerable.
With CVE-2025-62454 and CVE-2025-62457, Microsoft has patched two more of the same type, but they aren’t being actively exploited.
Although there are no Windows vulnerabilities categorized as critical this month, Microsoft has fixed some potentially dangerous ones. For example, there’s an EoP and two Denial of Service (DoS) vulnerabilities in the DirectX graphics core. With CVE-2025-54100, Microsoft has eliminated a problematic RCE flaw in PowerShell that was already publicly known in advance. The Routing and Remote Access Service (RRAS) is also once again represented with three security vulnerabilities, including CVE-2025-62549 (an RCE vulnerability).
Microsoft Office vulnerabilities
Microsoft classifies two of the Office vulnerabilities as critical. According to Microsoft, one of them is already being exploited for attacks in the wild. We’ve gotten sparse details on the other vulnerabilities, which aren’t really searchable in the Security Update Guide.
Microsoft has fixed 15 vulnerabilities in its Office family of products, including 14 RCE vulnerabilities. Microsoft classifies two of these RCE vulnerabilities (CVE-2025-62554 and CVE-2025-62557) as critical, with the preview window being an attack vector. This means a successful attack can happen merely by selecting a file so that it’s rendered in the preview, even if the user never actually opens it.
Microsoft categorizes the other Office vulnerabilities as high risk. Here, a user must actually open a prepared file for the exploit code to take effect (“open to own”). Six of these vulnerabilities affect Excel, three are in Word, and one each in Outlook and Access.
Microsoft Exchange vulnerabilities
Microsoft has fixed two vulnerabilities in Exchange Server. CVE-2025-64666 is an EoP vulnerability that was reported to Microsoft by the NSA. The second vulnerability, CVE-2025-64667, is a spoofing vulnerability.
Anyone still working with Exchange Server 2016 or 2019 may remain unprotected despite these updates, as both received their last updates in October. Fortunately, there’s a six-month ESU program for Exchange that runs until Patch Tuesday in April 2026.
Microsoft Edge vulnerabilities
The latest security update to Edge 143.0.3650.66 was released on December 4th and is based on Chromium 143.0.7499.41. It fixes several Chromium vulnerabilities. Microsoft has also fixed an Edge-specific vulnerability (CVE-2025-62223).